File Permission Suggestion

John E. Malmberg malmberg at Encompasserve.org
Thu Aug 9 17:03:26 GMT 2001


On Thu, 9 Aug 2001, Esh, Andrew wrote:

> I have been working with Access Control Lists (ACL), and I have a suggestion
> which may improve Samba's file permission handling. For those of you who are
> not aware of what ACLs are, here is a short description:

<snip>

I recommend leaving the Owner, Group, and Everyone present in the ACL
list presented to the USER.

You may want to change the SMB.CONF file to allow alternate names for
these groups, such as "Unix Owner", "Unix Group", and "Unix World".

In my case, these would be "OpenVMS Owner", ...

If you do not present these names back to the user, you are not presenting
them with the true security access to the file.

If the only access to the files is through SAMBA, then you have more
leeway in what you can do.

But much of the desire for SAMBA is to be able to share the same files in
both a LANMAN and UNIX or other host environment, and as such the person
must be aware of what is going on.


On a related note, the READONLY DOS attribute cannot be implemented
on SAMBA to work the same way as on NT.

You can allow a client to set a file READONLY, but not to clear it.
Why?

Because you do not know if the user intended to grant write access to
only themselves or the group and world.

On OpenVMS, I chose to implement some of the DOS attributes as report
only.

S - The file has been -Tested- to be READ only using normal SYSTEM (root)
    privileges.

A - The file does not have a backup date recorded.

R - The file has been -Tested- to be READ only to the current user.  This
    usually implies that the group and world also can not write to the
    file.  Because of underlying ACLs in the OpenVMS operating system,
    that may not be true.

I am still trying to determine the pros and cons of allowing the
Archive bit to be cleared by the end user.  Improper use can cause files
to not be backed up.  While there is nothing to prohibit a user from
recording the file as backed up, most users do not.

However, it seems that there are some PC software products that are doing
some tricks with the Archive bit.  They may need this flexibility.

So far there has been no feedback on this from the OpenVMS SAMBA users.
Previous to SAMBA 2.0.6 on OpenVMS, the S and A bits were not available.


-John
wb8tyw at qsl.network
Personal Opinion Only.




